Because of the rapid and undeniable impact of security reviews and penetration tests on ICT security, Parshan Tech Afazar Company has made this specialized service one of its areas of activity and one of the services it provides to its customers.
Nowadays, penetration testing is used as a legal and reliable assessment method to identify system vulnerabilities, both by organizations that already use secure equipment and by organizations that are new to deploying strong software, hardware, and networks. A penetration test is a method of estimating the security of a computer (usually a server) or a network by simulating an attacker (hacker). Penetration testing is performed to find vulnerabilities in a website, network, or IT infrastructure. The test is performed by security experts, who use the same processes and techniques that hackers use to penetrate ICT systems.
The most important difference between a hacker and a penetration tester is that the penetration test is done with authorization and under a contract signed with the organization or company, and it ends with a report. The purpose of the penetration test is to increase the security of the data processing and data exchange infrastructure. Information and security vulnerabilities identified during the test are considered confidential and should not be disclosed until they have been fully resolved. In the case of hacking, there is no such procedure.
The penetration test is performed in the organization for the following reasons:
Note: The penetration test should be performed on all systems, sites, and infrastructure to minimize the possibility of infiltration by all normal and exceptional users.
The methods used in the penetration test can also change depending on how much access to the organization's equipment is available. Depending on the degree of access to, and permission to view, the details and components of the system, the test can be performed as a black box test (no access to or information about the internal details of the system), a white box test (full access to internal system details), or a gray box test (a level of access between black box and white box).
Security assessment layers
OSSTMM takes a detailed look at how penetration tests are performed. It is based on an analysis of penetration testing technology during and after execution, how the results are obtained, the scope of the security test, processes, information, Internet technologies, wireless communication devices, and so on.
OWASP is essentially trying to prove why software is insecure. Its main focus is on web services and applications.
The main goal of the OWASP ASVS software standardization project is to normalize the scope and level of rigor of software security reviews in the market, based on business solutions. The standard provides a basis for specialized testing of software security mechanisms, as well as any specialized security mechanisms in the environment, that are relied on to protect against vulnerabilities such as cross-site scripting (XSS) and SQL injection. Using this standard can provide a reasonable level of trust in the security of web applications.